For what its worth, I believe this is an issue with LDAP Plugin as I was able to recreate it without Role Based auth using Matrix based auth as well
>From a little digging I did, it appears it is some odd permissions issue, as if you grand the user explicit admin rights ahead of time, it can read the groups - but any other kind of user fails. This of course makes LDAP Groups completely useless as only admins can see them. I filed a ticket with LDAP Plugin team: https://issues.jenkins-ci.org/browse/JENKINS-37858 -M On Monday, August 15, 2016 at 3:59:56 PM UTC-5, Michael Lasevich wrote: > > I am trying to do something I thought I have done many times before, but > it is not working now - using Roles based Authorization with LDAP > authentication and specifically LDAP Groups > > I believe I have LDAP Authentication setup and working for both users and > groups > I believe I have Role based authentication set up. > > Granting roles to LDAP users directly - either global or project roles - > works. I can login with LDAP user and get expected permissions. Granting > roles to 'authenticated' also seems to work. > > However if I grant permissions to LDAP group - it just does not work. > > I am very confused why assigning roles to groups does not work. > > Few thoughts and observations: > > * "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to > them. > > * "User status" UI (/user/username URI) shows groups for the use and I > even ran that LDAP test groovy script that worked as expected. Although... > > * "User Status" only shows groups to "admin" user. A regular use with just > access to run specific jobs does not see their own groups - perhaps > something is blocking non-admin users from reading their own groups? > > * Increasing logging shows that a user that was granted admin rights > directly has all the groups in the "Granted Authorities" but non-admin user > only has "authenticated" - interestingly enough admin user does NOT have > 'authenticated'... > > * Don't think it is relevant here, but in the past I recall having to do a > special prefix for groups (like '@' I think) - not sure if this is still > necessary > > > Versions -- Running this on: > > * Jenkins 2.10 > * LDAP Plugin 1.12 > * Role Based Authorization Strategy 2.3.2 > > Any thoughts or suggestions would be appreciated.... > > Thanks, > > -Michael > > > > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/88b7ff85-7488-48e6-9152-5da465e1c781%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
